AAF Environment - Beijing
=========================
You must be connected to the WindRiver "pod-onap-01" VPN to gain access
At this time, there is no known DNS for ONAP entities. It is
recommended that you add the following entry to "/etc/hosts" on the
machine you access the environment from::

    10.12.6.214 aaf-onap-beijing-test aaf-onap-beijing-test.osaaf.org
Environment Artifacts (AAF FS)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

AAF has an HTTP file server that provides access to the public
artifacts (root certificate and truststores) needed for this
environment:

http://aaf-onap-beijing-test.osaaf.org/-

Note that the file server is plain HTTP, so anything downloaded from
it should be checked against a fingerprint obtained from the AAF team
before it is trusted.
AAF does support User/Password credentials, and allows additional
authentication plugins as it did in Amsterdam. However, User/Password
credentials are weaker than PKI-based identity and do not match the
ONAP design goal of TLS and PKI identity across the board. An
individual organization might therefore use the User/Password
facilities within AAF, but for ONAP we are avoiding them.

THEREFORE: **GO WITH CERTIFICATE IDENTITY**
`AAF\_RootCA.cer <http://aaf-onap-beijing-test.osaaf.org/AAF_RootCA.cer>`__
At the time of Beijing, no official Certificate Authority for ONAP had
been declared, installed or operationalized. Secure TLS requires
certificates, so for the time being the Certificate Authority is
being run by the AAF team.
| The Root Certificate for the ONAP Certificate Authority used by AAF
  is `AAF\_RootCA.cer <http://aaf-onap-beijing-test.osaaf.org/AAF_RootCA.cer>`__
| Depending on your Browser/Operating System, clicking on this link
  will allow you to install this Cert into your Browser for GUI
This Root Certificate is also available in "truststore" form, ready
to be used by Java or other processes:

- `truststoreONAP.p12 <http://aaf-onap-beijing-test.osaaf.org/truststoreONAP.p12>`__

  - This Truststore has ONLY the ONAP AAF\_RootCA in it.

- `truststoreONAPall.jks <http://aaf-onap-beijing-test.osaaf.org/truststoreONAPall.jks>`__

  - This Truststore has the ONAP AAF\_RootCA in it PLUS all the
    Public CA Certs that are in Java 1.8.131 (note: this is in jks
    format, because the original JAVA truststore was in

Note: as of Java 8, the pkcs12 format is recommended rather than jks.
Java's "keytool" utility provides a conversion for .jks for Java 7
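The following shell functions are an added example, not a script from the AAF project or the ONAP documentation. They show how a practitioner would check the downloaded root certificate's fingerprint, build a PKCS12 truststore holding only the AAF\_RootCA (the equivalent of truststoreONAP.p12), convert the jks truststore to pkcs12 with keytool, and confirm what a store contains. The file names, the alias "aaf_rootca" and the password "changeit" are assumptions (Java's conventional default), not values the page specifies.

```shell
#!/bin/sh
# Added example (not the AAF project's own tooling): Java truststore handling
# for the ONAP AAF_RootCA with openssl and keytool. Assumes the root cert was
# saved as AAF_RootCA.cer from the AAF file server; "changeit" is Java's
# conventional default password and is only a placeholder.
set -eu

# SHA-256 fingerprint of a certificate file, for comparison with a value
# obtained from the AAF team before the cert is trusted (the file server
# that publishes it is plain HTTP).
root_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Build a PKCS12 truststore containing only the given root certificate,
# i.e. the shape of truststoreONAP.p12. $1 cert file, $2 store path,
# $3 store password (default changeit).
build_truststore() {
    keytool -importcert -noprompt -trustcacerts \
        -alias aaf_rootca -file "$1" \
        -keystore "$2" -storetype PKCS12 -storepass "${3:-changeit}"
}

# Convert a JKS truststore (e.g. truststoreONAPall.jks) to PKCS12, the
# format recommended since Java 8. $1 source jks, $2 destination p12,
# $3 password used for both stores.
jks_to_pkcs12() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype JKS -srcstorepass "$3" \
        -destkeystore "$2" -deststoretype PKCS12 -deststorepass "$3"
}

# Number of trusted-certificate entries in a store, to confirm that the
# store really holds what you expect (1 for truststoreONAP.p12, many for
# truststoreONAPall). $1 store, $2 type (JKS or PKCS12), $3 password.
# grep -c returns 1 when the count is zero, so an empty store fails here.
truststore_entries() {
    keytool -list -keystore "$1" -storetype "$2" -storepass "$3" \
        | grep -c 'trustedCertEntry'
}

# Typical use once AAF_RootCA.cer has been downloaded:
#   root_fingerprint AAF_RootCA.cer
#   build_truststore AAF_RootCA.cer truststoreONAP.p12
#   jks_to_pkcs12 truststoreONAPall.jks truststoreONAPall.p12 changeit
#   truststore_entries truststoreONAP.p12 PKCS12 changeit
```

Compare the printed fingerprint with one the AAF team gives you out of band; the truststore is only as trustworthy as the certificate you put into it.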
Certificates certify nothing if there is no identity, or no process to
verify the identity. Typically, for a company, an HR department
establishes the formal organization, specifically who reports to
whom. For ONAP, at the time of Beijing, no such formalized "Org Chart"
existed, so we will build this up as we go along.

Therefore, with each Certificate Request we also need identity
information, which will be entered into an ONAP Identity file. In a
real company, this can be derived or accessed in real time (if
available) through an "Organization Plugin". There appears to be no
such central formal system in ONAP, though Linux Foundation logins do
hold some of this information for ALL LF projects. Until ONAP declares
such a system, or decides how to integrate with LF for identity and
we have time to create an integration strategy, AAF will control this
data.
For each Identity, we'll need:

| # 0 - unique ID (for Apps, just make sure it is unique; for
  People, consider using your Linux Foundation ID)
| # 1 - full name (for App, name of the APP)
| # 2 - first name (for App,
| # 5 - official email
| # 6 - type - person
| # 7 - reports to: If you are working as part of a Project, list
  the PTL of your Project. If you are PTL, just declare you are the

| # 0 - unique ID - For ONAP Test, this will be the same as the App
| # 1 - full name of the App
| # 3 - App Description, or just "Application"
| # 5 - official email - a Distribution list for the Application, or
  the Email of the Owner
| # 6 - type - application
| # 7 - reports to: give the Application Owner's Unique ID. Note that
  this should also be the Owner in the AAF Namespace
Obtaining a Certificate
'''''''''''''''''''''''

Three types of Certificates are available to the AAF and ONAP
community through AAF: People, App Client-only, and App Service
(which can be used for both Client and Service).
Process (this process may fluctuate, or move to iTrack, so revisit this page for each certificate you request)

1. Email the AAF Team (jonathan.gathman@att.com, for now)

2. Put "REQUEST ONAP CERTIFICATE" in the Subject Line

3. If you have NOT established an Identity (see above), put the
   Identity information in first

4. Then declare which of the three kinds of Certificates you

   1. **People** and **App Client-only** certificates will be

      1. You will receive a reply email with instructions on
         creating and signing a CSR, with a specific Subject.

      2. Reply back with the CSR attached. DO NOT CHANGE the

         1. The Subject is NOT NEGOTIABLE. If it does not match the
            original Email, the request will be rejected, and will
            waste everyone's time.

      3. You will receive back the certificate itself, and some
         openssl instructions to build a .p12 file (or maybe a
         ready-to-run Shell Script)

   2. *App Service Certificates* are supported by AAF's Certman

      1. However, this requires the establishment of Deployer
         Identities, as no Certificate is deployed without

      2. Therefore, for now, follow the "Manual" method,
         described in 4.a, but include the Machine to be the
People Certificates can be used for browsers, curl, etc.

Automation and tracking of People Certificates will be proposed for

In the meantime, for testing purposes, you may request a certificate
from the AAF team; see the process above.
Application Client-only

Application Client-only certificates are not tied to a specific
machine. They function just like People certificates, except that
they are expected to be used within "keystores" as the identity when
talking to AAF

PLEASE USE your APP NAME as it appears IN CI/CD (OOM, etc.) in your
request. That makes the most sense for identity.

Automation and tracking of Application Certificates will be proposed

In the meantime, for testing purposes, you may request a certificate
from the AAF team; see the process above.
This kind of Certificate must have the Machine Name in the "CN="

AAF supports Automated Certificate Deployment, but this has not been
integrated with OOM at this time (April 12, 2018).

- Please request a Manual Certificate, but specify the Machine as
  well. The Machine should be a name rather than an address, so you
  might need to provide your Clients with instructions on adding it
  to /etc/hosts until ONAP addresses Name Services for ONAP
  Environments (i.e. DNS).
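The shell functions below are an added example, not the AAF team's emailed instructions or script. They cover the manual process above for all three certificate kinds: generating a key and CSR with the exact Subject from the reply email, proving the CSR's Subject matches before sending it (the point at which a mismatch gets the request rejected), building the .p12 once the signed certificate comes back, and checking what the .p12 presents. For an App Service certificate the CN is the machine name, as this section requires. The subject values, file names and the password "changeit" are placeholders; use the Subject from the email verbatim.

```shell
#!/bin/sh
# Added example (not the AAF team's script): key + CSR with a fixed Subject,
# Subject check before submission, and .p12 assembly after signing. All
# subject values, file names and the "changeit" password are placeholders.
set -eu

# Create a private key "$1.key" and CSR "$1.csr". $2 is the Subject in
# OpenSSL "/C=../O=../CN=.." form. For an App Service certificate the CN
# must be the machine name clients connect to; for People and App
# Client-only certificates it is the identity named in the email.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

# Print a CSR's Subject in RFC 2253 form (CN first, comma separated, no
# spaces), which is stable across OpenSSL versions and so comparable as a
# plain string.
csr_subject() {
    openssl req -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Refuse to send a CSR whose Subject differs from the one requested:
# $1 CSR file, $2 expected Subject in RFC 2253 form. Returns non-zero on
# mismatch, so it can gate the "reply with CSR attached" step.
check_subject() {
    actual=$(csr_subject "$1")
    [ "$actual" = "$2" ]
}

# Bundle the signed certificate "$1.cer" with its key and the issuing
# chain ($3, e.g. AAF_RootCA.cer) into "$1.p12" protected by password $2,
# the same thing the emailed openssl instructions achieve.
build_p12() {
    openssl pkcs12 -export -in "$1.cer" -inkey "$1.key" -certfile "$3" \
        -name "$1" -out "$1.p12" -passout "pass:$2"
}

# Subject of the end-entity certificate inside a .p12, for a final check
# before importing it into a browser or keystore. $1 p12 file, $2 password.
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Typical use for an App Service certificate (values are placeholders):
#   make_csr myapp "/C=US/O=ONAP/OU=myapp/CN=myapp.onap.example"
#   check_subject myapp.csr "CN=myapp.onap.example,OU=myapp,O=ONAP,C=US" \
#       && echo "CSR matches requested Subject; attach myapp.csr to the reply"
#   ... after myapp.cer arrives from the AAF team ...
#   build_p12 myapp changeit AAF_RootCA.cer
#   p12_subject myapp.p12 changeit
```

Run check_subject against the Subject copied from the email before replying; it is cheaper than a rejected round trip. If the service will be reached by browsers or recent TLS libraries, also ask the AAF team whether the signing profile places the machine name in a subjectAltName, since hostname checking in those clients ignores the CN.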
https://aaf-onap-beijing-test.osaaf.org

Note: this link is actually to the AAF Locator, which redirects you

The GUI uses the ONAP AAF Certificate Authority (private). Before
you can use the Browser, you will need to

Certificate <#AAFEnvironment-Beijing-RootCertificate>`__

- Obtain a Personal Certificate as described above

- Add the Personal Certificate/Private key to your Browser.
  Typically, this is done by having it packaged in a P